Field of the Invention
The present disclosure relates to security in a communications system, and more particularly, but not exclusively, to management and creation of user security related data and credentials for user equipment.
Description of the Related Art
A communication system can be seen as a facility that enables communication sessions or data sessions between entities such as user equipment and/or other nodes associated with the communication system. The communication may comprise, for example, communication of voice, data, multimedia and so on. A user equipment connected to a communication system may, for example, be provided with a two-way telephone call or multi-way conference call or with a data connection. In addition to voice call services, various other services may be provided for a user, for example enhanced content services such as multimedia services, other data services, or security services. A user equipment may communicate data to and from a server entity, or between two or more user equipments.
A communication system typically operates in accordance with a given standard or specification, which sets out what the various entities associated with the system are permitted to do and how that should be achieved. Communication protocols, parameters, functions, reference points and interfaces, which shall be used for a connection are typically defined by the standards or specifications.
Communication systems providing wireless communication for user equipment are known. These systems are commonly referred to as mobile systems, although in certain systems the mobility may be restricted to substantially small areas. An example of the mobile systems is the public land mobile network (PLMN). Another example is a mobile system that is based, at least partially, on use of communication satellites. Mobile communications may also be provided by means of other types of systems, such as by means of wireless local area networks (WLAN), Personal Area Networks (PAN), Wide Area Networks (WAN) or some other form of network that provides Internet Protocol (IP) access.
In a wireless system an access node provides user equipment with access to the communication system. A user equipment may be in wireless communication with two or more access nodes at the same time. Communication on the wireless interface between the user equipment and the access node(s) can be based on an appropriate communication protocol. Examples of the various wireless access systems include CDMA (Code Division Multiple Access), WCDMA (Wide-band CDMA), TDMA (Time Division Multiple Access), FDMA (Frequency Division Multiple Access) or SDMA (Space Division Multiple Access), Institute of Electrical and Electronics Engineers (IEEE) 802.11, DECT (Digital Enhanced Cordless Communication), WLAN, WAN or cable connection, and further developments and hybrids thereof.
The operation of the network apparatus is controlled by an appropriate control arrangement commonly including a number of various control entities. One or more gateways or intermediate servers may also be provided for connecting a network to other networks or hiding network internal details from external nodes. For example, a PLMN network may be connected to other mobile or fixed line communication networks or data communication networks such as an IP (Internet Protocol) and/or other packet data networks.
A user or the user equipment may need to be authenticated before he/she is allowed to access or otherwise use various applications and services. This may be required for security and privacy reasons, but also to enable correct billing of the service usage. For example, it may need to be verified that the user is whoever he/she claims to be, that the user has the right to use a certain service, that the user can be provided with an access to sensitive information and so on. In an authentication process, a user can be identified based on various values associated with the user known to a third party.
Various authentication mechanisms are already in place, or have been proposed. A non-limiting example is an authentication mechanism proposed by the third generation partnership project (3GPP) called the ‘Generic Authentication Architecture’ (GAA), or the GAA version defined by the Third Generation Partnership Project 2 (3GPP2). The GAA is intended to be used as a security procedure for various applications and services for users of mobile user equipment, such as mobile stations for cellular systems. GAA based security credentials can be used for authentication, but also for other security purposes, such as integrity and confidentiality protection of messages. The GAA is intended to be based on shared secrets that are stored on specific secure storage entities provided in association with the user equipment and subscriber databases. The secure storage and credential generation entity of a user equipment may be provided by an appropriate security function, for example a security module, an identification module or another secure environment in the user equipment. Also, the storage and the credential generation can be performed by two different entities. The subscriber database may be provided by an appropriate network entity, for example a Home Location Register (HLR), Home Subscriber Server (HSS), Authentication Authorization and Accounting (AAA) server or Domain Name Service (DNS) server-like database.
Furthermore, 3GPP has proposed an authentication infrastructure (3GPP TS 33.220). This infrastructure may be utilised to secure interworking between application functions on the network side and on the user side, so that they can communicate in situations where they would not otherwise be able to do so. This functionality is referred to as “bootstrapping of application security”, or more generally simply as “bootstrapping”, and is carried out in the generic bootstrapping architecture (GBA).
The general principles of bootstrapping are that a generic bootstrapping server function (BSF) allows user equipment (UE) to authenticate therewith and agree on session keys, which are then used for a secure interaction between a Network Application Function (NAF) and the UE. Such authentication is preferably based on authentication and key agreement (AKA). By running AKA algorithms, the mobile terminal and the network mutually authenticate each other and agree on service specific session keys. After this authentication, the UE and a network application function (NAF), which may also be referred to as a service provider, may run some application specific protocol where the security of messages is based on the service specific session keys agreed between the UE and the BSF.
The bootstrapping function procedure is not intended to be dependent upon any particular network application function. The server implementing the bootstrapping function must be trusted by the home operator to handle authentication vectors. Network application functions in the operator's home network are to be supported, but also the support of network application functions in a visited network, or even in a third network is possible.
In the proposals for implementation of bootstrapping techniques, it is proposed that the UE sends a service request to a NAF. The NAF must then communicate with the BSF in order to retrieve the service specific session key(s) required for authentication with the UE.
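The bootstrapping exchange described above, modelled as an added Python example (not code from the disclosure or from 3GPP): the UE and BSF run a mutual challenge-response standing in for AKA, the BSF stores the session key under a transaction identifier (B-TID), the UE derives a NAF-specific key locally, and the NAF retrieves the same key from the BSF to verify the service request. The HMAC-based derivation, the B-TID format, the entity names and the subscriber secret are constructed stand-ins, not the TS 33.220 definitions.

```python
import hmac, hashlib, secrets

def kdf(key: bytes, *parts: bytes) -> bytes:
    # Stand-in derivation (HMAC-SHA256 over length-prefixed labels); the real
    # GBA KDF is specified in 3GPP TS 33.220 and is not reproduced here.
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

class BSF:
    def __init__(self, subscribers):
        self.subscribers = subscribers   # IMPI -> long-term secret K (constructed)
        self.sessions = {}               # B-TID -> (IMPI, Ks)
    def challenge(self, impi):
        k, rand = self.subscribers[impi], secrets.token_bytes(16)
        return rand, kdf(k, b"autn", rand)   # token lets the UE authenticate the network
    def finish(self, impi, rand, res):
        k = self.subscribers[impi]
        if not hmac.compare_digest(res, kdf(k, b"res", rand)):
            raise PermissionError("UE failed AKA")        # network authenticates the UE
        btid = rand[:8].hex() + "@bsf.example"           # constructed transaction id
        self.sessions[btid] = (impi, kdf(k, b"ks", rand))
        return btid
    def naf_key(self, btid, naf_id):
        impi, ks = self.sessions[btid]
        return impi, kdf(ks, b"naf", naf_id)             # service-specific key for one NAF

class UE:
    def __init__(self, impi, k):
        self.impi, self.k, self.ks, self.btid = impi, k, None, None
    def bootstrap(self, bsf):
        rand, autn = bsf.challenge(self.impi)
        if not hmac.compare_digest(autn, kdf(self.k, b"autn", rand)):
            raise PermissionError("network failed AKA")
        self.ks = kdf(self.k, b"ks", rand)
        self.btid = bsf.finish(self.impi, rand, kdf(self.k, b"res", rand))
    def service_request(self, naf_id, payload):
        ks_naf = kdf(self.ks, b"naf", naf_id)            # UE derives the same NAF key locally
        return self.btid, payload, hmac.new(ks_naf, payload, hashlib.sha256).digest()

class NAF:
    def __init__(self, naf_id, bsf):
        self.naf_id, self.bsf = naf_id, bsf
    def serve(self, btid, payload, tag):
        impi, ks_naf = self.bsf.naf_key(btid, self.naf_id)   # NAF fetches key from BSF
        expect = hmac.new(ks_naf, payload, hashlib.sha256).digest()
        return impi if hmac.compare_digest(tag, expect) else None
```

Because the NAF key is bound to the NAF identity, a request signed for one NAF is rejected by a different NAF even though both consult the same BSF session.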
Typically as described above the secure storage entity of a user equipment is provided by an appropriate security function, for example a security module, or an identification module such as a universal integrated circuit card (UICC) or a trusted environment in the terminal.
This approach has limitations. Firstly, it fails when the device is not intended to be used as a conventional telephone and therefore does not contain a UICC or an equivalent subscriber identity module (SIM) card. For example, a user attempting to access a network function with a handheld device such as the Sony PlayStation Portable (PSP) could not be authenticated due to the lack of a UICC. Furthermore, a user operating a tablet PC, personal digital assistant (PDA), personal computer or laptop connecting over a wireless or fixed link would not be able to access the network function and gain access to the service that the user may be used to from his mobile subscription. Also, it is currently not possible to have a generic single sign-on process to NAF-based services over different access networks with an authentication that is bound to the presence of a UICC or similar smart card. Hence, users are required to remember a large range of passwords and Personal Identification Numbers (PIN), e.g. for Voice over IP solutions, access to their mobile phone, web service access, etc.
Secondly, where the device is to be used by more than one person, switching between users requires the user equipment to be powered down, the current UICC removed, the UICC for the next user inserted and the user equipment powered back up, which is a time-consuming, user-unfriendly, battery-draining process that is potentially capable of damaging the UICC. Although an integrated security module overcomes the problem of switching the UICC, it also prevents the independent monitoring of each user. For example, a device with a single module and a single identity would require further control entities to prevent children from being able to access adult material.